Wireless (General)

  • 1.  Using TLS Certificate fields for authentication mapping

    Posted 06-08-2018 20:08

    Hello,

    can I use TLS certificate fields like "TLS-Cert-Issuer" or "TLS-Cert-Common-Name" (or other fields mentioned here: https://extremeportal.force.com/ExtrArticleDetail?an=000064090) to do the authentication mapping in the NAC AAA configuration to e. g. switch between local authentication or proxy radius if I use 802.1x?

    RackMultipart20180608-114138-1wldydo-AuthMapping_inline.jpg

     


    If yes, how can I do set? What do I have to enter in the fields (User/MAC/Host)?

    Best regards
    Stephan

     



  • 2.  RE: Using TLS Certificate fields for authentication mapping

    Posted 06-11-2018 04:48
    Stephan, are you looking to use a cert field for making a decision if to proxy the request to another server or auth locally? or are you looking to perform the auth by ExtremeControl server but use a cert field to make an authorization decision as what network service to assign?


  • 3.  RE: Using TLS Certificate fields for authentication mapping

    Posted 06-11-2018 04:57
    Hello Shumlik,

    I want to make a decision if to proxy or do a locally auth.

    Best regards
    Stephan


  • 4.  RE: Using TLS Certificate fields for authentication mapping

    Posted 06-12-2018 03:29
    Hi Stephan.

    the decision to proxy or not can be made based on Location (Switch, Port, SSID, AP, Zone), based on username (pattern or group membership, in case of certificates the name is CN), based on authentication type.

    I suggest to terminate EAP-TLS locally and add more CA and more CRL to your configuration. The Access Control Engine can authorize based on more CA.

    Regards

    Z.


  • 5.  RE: Using TLS Certificate fields for authentication mapping

    Posted 06-12-2018 03:29
    Thank you Pala,

    can I use only parts of the certificate CN, too? Like "host/*" in an user name.

    Best regards
    Stephan


  • 6.  RE: Using TLS Certificate fields for authentication mapping

    Posted 06-12-2018 03:29
    Yes you can use wildcard to check the username. Username is the CN.


  • 7.  RE: Using TLS Certificate fields for authentication mapping

    Posted 06-12-2018 03:29
    Thank you Pala.


  • 8.  RE: Using TLS Certificate fields for authentication mapping

    Posted 06-20-2018 13:31



    I can only show a screenshot in OneView.

    You can make a User Group and Change it to RADIUS User Group, then you can rely on TLS Attributes.
    We did it with TLS-Client-Cert-Common-Name, but others should also be possible.

    Does anyone has a list of which attributes are possible?


  • 9.  RE: Using TLS Certificate fields for authentication mapping

    Posted 06-20-2018 13:31
    Hello Anton,

    you will see the attributes in the KB article following the link in my first text above.

    Best regards
    Stephan